Securities, Security & Transparency
A “tipping point” is the culmination of small events that cause a significant change. Malcolm Gladwell tells us it comes from the world of epidemiology: that point in time in an epidemic where a virus reaches critical mass. Have we now seen the tipping point where business takes cybersecurity far more seriously than ever before?
I’m referring to the issuance of guidance on reporting corporate cyber risk management. Why might this be a “tipping point”? Because it didn’t come from the Federal Trade Commission, a Canadian Privacy Commissioner or a European Data Protection Authority – it came from the Securities and Exchange Commission (“SEC”). Cybersecurity now seems to be drawing the attention of securities regulators. It would seem that concerns about cyber risks – with the potential to negatively impact a company’s financial performance – have reached a point where cyber risk management warrants public disclosure.
Granted it’s not a rule, regulation or statement – think recommendation — but the fact that it comes from the SEC will no doubt make people serious about money sit up and take notice. And many a recommendation has eventually become a rule. If you’re Canadian and think of this as only an American development, please note that a good number of public Canadian companies are interlisted on American stock exchanges.
Securities laws in the United States and Canada require public companies to disclose information to allow potential investors to know about risks and events that may influence a decision to invest in that company. “Timely”, “comprehensive” and “accurate” are the adjectives most often used to describe the kind of information disclosure required. And, without compromising security, the SEC wants the details:
“Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.”
What I think is significant is that this new SEC guidance extends beyond breach notification for personal information to disclosures about corporate data including the “misappropriation of assets or sensitive information, corruption of data or operational disruption.” (Ironically, the SEC had to issue its own breach notification the week before it issued these cybersecurity guidelines.) While not about personal information per se, measures to mitigate such risks will likely result in the protection of personal information as well. As sailors know, rising tides lift all boats.
Also significant is that the SEC suggests that cyber incidents be taken up in the “Management’s Discussion and Analysis of Financial Condition and Results of Operations” (“MD&A”) section of filings.
“For example, if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition. If it is reasonably likely that the attack will lead to reduced revenues, an increase in cybersecurity protection costs, including related to litigation, the registrant should discuss these possible outcomes, including the amount and duration of the expected costs, if material. Alternatively, if the attack did not result in the loss of intellectual property, but it prompted the registrant to materially increase its cybersecurity protection expenditures, the registrant should note those increased expenditures.”
If I were a CISO for a public company I’d try to ensure my senior management didn’t have to sign off on an MD&A statement that included cyber incidents. Why? Because I wouldn’t want the CEO to ask why I didn’t reduce the risk of such incidents in the first place or, heaven forbid, start thinking maybe it’s time to replace me.
I’m not suggesting that this is an across-the-board problem: this recent story points out that the energy industry considers “cybercrime” to be a larger problem than terrorists. However, the proliferation of data breaches, the increase in cyber incidents, the reports of cyber espionage – all point to the fact that cybersecurity is no longer a risk to be euphemistically “managed”. For public companies, to do so would soon reveal to the world just what kind of job their executives really do concerning cybersecurity – and maybe not in a good way.
No one should expect perfection or absolute cybersecurity – the world moves too fast these days – but now transparency mechanisms for shareholders are to be used to highlight the issue. This “spotlight”, however narrow it might be, may result in better security postures and ultimately better data protection.